I do have DNSSEC validation enabled, however all tests validate successfully.

When I run

$ delv twitterdatadash.com
;; resolution failed: SERVFAIL

On Sat, 14 May 2022 at 21:30, <[email protected]> wrote:

> Message: 1
> Date: Sat, 14 May 2022 13:06:26 +0930
> From: BangDroid <[email protected]>
> To: [email protected]
> Subject: Only one domain failing to resolve, unbound pi-hole
>
> Kind of pulling my hair out with this one.. The domain twitterdatadash.com
> will not resolve with unbound recursively. I get SERVFAIL.
>
> root.hints is up to date, local time on raspi is accurate. No other domains
> are failing.
>
> Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and dig
> sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
>
> Switching to an upstream DNS in Pi-hole will get the domain to successfully
> resolve, as well as using a standard DNS forward-zone in
> unbound.conf.d/pi-hole.conf:
>
>     forward-zone:
>         name: "."
>         forward-addr: 8.8.8.8
>
> However, if I use a DoT forward zone (because suspected possible? DNS
> hijacking by ISP):
>
>     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>     forward-zone:
>         name: "."
>         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>         forward-ssl-upstream: yes
>
> Everything works exactly as expected, including https://1.1.1.1/help
> **except** twitterdatadash.com remains SERVFAIL.
>
> Paste of dig outputs with various unbound configurations:
> https://pastebin.com/k1LtjzHB
>
> pi-hole.conf: https://pastebin.com/szLmcNFj
>
> unbound logs grepped with "twitterdatadash":
>
> 'default' pihole.conf: https://pastebin.com/JmgUDSRv
>
> with DoT: https://pastebin.com/k3UgdZD4
>
> Accessing that domain is not crucial by any means, I am only concerned it
> may be indicative of a bigger issue. It seems like there must be an issue
> with my configuration somewhere, but every test I run appears to indicate no
> issue. Is it possible the issue is not my end? Anyone have any ideas?
>
> ------------------------------
>
> Message: 2
> Date: Sat, 14 May 2022 09:27:17 +0200
> From: Georg Pfuetzenreuter <[email protected]>
> To: [email protected]
> Subject: Re: Only one domain failing to resolve, unbound pi-hole
>
> Maybe you have DNSSEC validation enabled?
>
> $ delv twitterdatadash.com
> ; unsigned answer
> twitterdatadash.com. 7200 IN A 34.96.91.68
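
One way to tell a DNSSEC validation failure apart from a plain resolution failure for the SERVFAIL discussed in this thread, as an added example that is not part of any poster's message: query the resolver once normally and once with `dig +cd` (checking disabled) and compare the response codes. The function names and the sample header lines are constructed for illustration; the resolver address 127.0.0.1 port 5335 is taken from the thread.

```shell
#!/bin/sh
# Added example: classify a SERVFAIL by comparing a normal query with a
# +cd (checking disabled) query sent to the same validating resolver.

# Read dig output on stdin and print the rcode from its header line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711" -> SERVFAIL
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify NORMAL_RCODE CD_RCODE
#   resolves            the normal query already gets an answer
#   validation-failure  fails only while validation is on: the resolver
#                       fetched the data but rejected it as bogus
#   resolution-failure  fails even with validation off: the resolver could
#                       not obtain an answer from upstream at all
classify() {
    case "$1/$2" in
        NOERROR/*|NXDOMAIN/*)               echo "resolves" ;;
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "validation-failure" ;;
        SERVFAIL/SERVFAIL)                  echo "resolution-failure" ;;
        *)                                  echo "inconclusive" ;;
    esac
}

# check NAME [SERVER] [PORT]: run both live queries and classify the pair.
check() {
    name=$1; server=${2:-127.0.0.1}; port=${3:-5335}
    normal=$(dig "$name" A @"$server" -p "$port" | dig_status)
    nocheck=$(dig +cd "$name" A @"$server" -p "$port" | dig_status)
    classify "$normal" "$nocheck"
}

# Constructed sample header lines (not taken from the thread's pastebins).
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712'

# Offline demonstration on the constructed samples.
classify "$(printf '%s\n' "$SAMPLE_FAIL" | dig_status)" \
         "$(printf '%s\n' "$SAMPLE_OK" | dig_status)"
```

For a live check against the resolver from the thread, call `check twitterdatadash.com`; a `resolution-failure` result points away from DNSSEC and toward the path between the resolver and the authoritative servers.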
